Clearly, the Home Office hasn’t examined Microsoft’s patch release
model, under which it only releases patches for vulnerabilities that
are known to be already exploited, or are likely to become immediately
exploited.

Many security researchers have had issues with Microsoft’s suggestion
that releasing patches enables those without prior knowledge to
determine the vulnerability. However, this logic is flawed, as
‘spear phishing’ and similar limited-distribution attacks typically use
vulnerabilities that are known, but without any publicly available
patch.

In short, if a patch is published, attackers can engineer an exploit;
however, this is only after all auto-updating systems have been made
immune. Systems that are not auto-updating will not receive the patch,
but would also not have had many other patches – for which legacy
exploits are widely available.

Conversely, other web browser vendors produce patches much more
often, and their browsers check for patches, and prompt for their
installation, at every startup and periodically afterwards – so
unpatched versions are highly unusual.